How VMware IT Leveraged the VMware Service-Defined Firewall
Transcript of How VMware IT Leveraged the VMware Service-Defined Firewall
#vmworld
SAI1087BU: How VMware IT Leveraged the VMware Service-Defined Firewall
Swapnil Hendre, VMware, Inc.
Sukhjit Singh, VMware, Inc.
VMworld 2019 Content: Not for publication or distribution
©2019 VMware, Inc.
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Agenda
Why Is Micro-Segmentation Necessary?
Application Discovery Process
Micro-Segmentation Use Case Review
Recommendations (Dos and Don'ts)
Q & A
Traditional Single Application – How Threats Spread?
[Diagram: a three-tier application (four WEB VMs, four APP VMs, two DB VMs) behind a Perimeter Firewall, with a Load Balancer in front of the WEB tier and another in front of the APP tier, and an Internal Firewall between tiers. Only traffic that crosses a firewall is inspected; traffic between VMs inside the same tier never reaches one, so a compromised VM can move laterally to its neighbours unfiltered.]

Zero-Trust Using NSX Micro-Segmentation
[Diagram: the same three-tier application, perimeter firewall, internal firewall and load balancers, now with NSX micro-segmentation enforcing policy at every VM, so east-west traffic inside a tier is also subject to firewall rules.]
Where We Started
Planning: define success criteria; define test cases; application selection (simple, complex)
Evaluation: execute POCs; functional testing; publish results
Application Discovery: production pilot; Log Insight; vRealize Network Insight
Global Deployment: finalize reference architecture; operationalization; phased global deployment
Application Discovery Using Flow Monitoring
[Diagram: VMs on compute clusters attached to a vSphere Distributed Switch. The switch exports flow records (NetFlow) to vRealize Network Insight for flow monitoring; the hosts send SYSLOG to a vRealize Log Insight cluster acting as SYSLOG collector.]
vRealize Network Insight – Micro-Segmentation Planning

vRealize Network Insight – Transformative Operations for Software-Defined Data Center and Cloud
• 360° Network Visibility & Analytics
• Best Practices, Health and Availability of NSX Deployment
• Security (Micro-segmentation) Modeling & Planning, Audit & Compliance
• Across Physical, Virtual and Cloud

DEMO: vRealize Network Insight
Micro-Segmentation Use Case Review

Micro-Segmentation: Use Case Reviews
Securing VDI Using NSX
Securing SAP Using NSX
Securing VMware Cloud On AWS
Securing Horizon Desktop On Azure
Securing VMware Cloud on AWS Using NSX

VMware Cloud on AWS Overview
[Diagram: the Customer Data Center (vCenter, vRealize Suite, ISV ecosystem) connected to VMware Cloud™ on AWS running on AWS Global Infrastructure. The cloud SDDC is powered by VMware Cloud Foundation: its own vCenter with vSphere (incl. VIC), vSAN and NSX, plus Operational Management, alongside native AWS services.]
VMware Cloud On AWS – Securing Workload Using NSX-T
[Diagram: a Core-services SDDC (Active Directory, DNS, OpenLDAP, NTP, SMTP, Puppet, Multi-factor authentication with MFA Pool 1 and Pool 2, Load Balancers and Security Services) and separate application workloads (Application 1, Application 2, Application 3). Each is fronted by the NSX-T Firewall, and the SDDCs reach the on-premises data center over Direct Connect.]

DEMO: Public Cloud Security Using NSX-T (VMware Cloud On AWS)
Securing Horizon Desktop On Azure Using NSX-Cloud

Securing Horizon Desktop On Azure – Micro-Segmentation Using NSX Cloud
Horizon Desktop On Azure
[Diagram: the On-premises network reaches Azure through a COLO Gateway and an ExpressRoute Circuit. Inside Azure, users enter through a Public IP and an Azure Load Balancer to Unified Access Gateways in a DMZ; behind them sit the Base Image(s), Active Directory, an optional WS1 Connector, RDS License Server(s), the Node Marketplace, RDS Farm(s) and the VDI desktops, plus a short-lived Deployment Engine. The following slide repeats the same diagram under the same title.]
Securing VDI Using NSX Micro-Segmentation

Secure VDI Infrastructure Using NSX
Requirement
● Secure communication between Virtual Desktops
Challenges prior to NSX
● Could not create firewall rules without hairpinning
● Could not create dynamic firewall rules
● Complex firewall rules for Layer 2 traffic
[Diagram: Thin Clients connect through VMware View Manager, backed by Active Directory, to Centralized Virtual Desktops on VMware vSphere; the NSX Distributed Firewall sits in front of each desktop.]

Secure VDI Infrastructure Using NSX
Solution
● Deploy NSX-DFW and implement a rule to block traffic between desktops in the VDI resource group
Firewall Rule (VDI Resource Group)
Name: FWR_VDI_Block
Source: SG_VDI_DYN
Destination: SG_VDI_DYN
Service: Any
Action: Block
Securing SAP Using NSX

Micro-Segmentation For SAP Using NSX – Logical Architecture
[Diagram of the SAP landscape, grouped by functional area: User Experience, BI Reporting, Application Lifecycle Management Tools, Data Integration / Delivery, Governance, Risk & Compliance, Enterprise Applications and Content Management.
Systems shown: Solution Manager, Landscape Virtualization Management, System Landscape Directory, Training, SAP Landscape Transformation, GRC, Business Suite, Master Data Governance, Native HANA, Business Objects (Reporting; DS, IS, IPS, DQM), Process Orchestration, Gateway, Vertex O Series, uPerform Productivity Pak, Content Server, Document Management and Adobe Document Services.
Client access: NWBC, SAPGUI, BO/BI Tools and the Fiori Launchpad from Desktop/VIEW, Smartphone/Tablet.
Each system is a Netweaver or App Server tier paired with its database (Oracle DB, HANA DB or MaxDB).]
SAP Without Micro-Segmentation
[Diagram: a Perimeter firewall and an Inside router/firewall in front of three flat zones: App (ERP, GRC, BI, PO, MDG, SBO), Services (AD, NTP, DNS, BKP, MON, SMTP) and DB. Traffic between VMs inside a zone is not filtered.]

SAP With Micro-Segmentation Using NSX Distributed Firewalls
● Each VM can now be its own perimeter
● Policies align with logical groups
● Unauthorized traffic is blocked
[Diagram: the same Perimeter firewall and Inside firewall, with the distributed firewall now enforcing policy around each App (ERP, GRC, BI, PO, MDG, SBO), Services (AD, NTP, DNS, BKP, MON, SMTP) and DB VM.]
NSX Security Group Topology For SAP
Master Nested Security Group: SG-SAP-ALL
  Nested Security Groups: SG-SAP-APP, SG-SAP-DB
    Security Groups under SG-SAP-APP: SG1-ERP-APP-DYN, SG2-PO-APP-DYN, ... SG16-MDG-APP-DYN
    Security Groups under SG-SAP-DB: SG1-ERP-DB-DYN, SG2-PO-DB-DYN, ... SG16-MDG-DB-DYN
      Group Members (APP): ERP-APP-1, ERP-APP-2; PO-APP-1, PO-APP-2; MDG-APP-1, MDG-APP-2
      Group Members (DB): ERP-DB-1, ERP-DB-2; PO-DB-1, PO-DB-2; MDG-DB-1, MDG-DB-2
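The VDI rule earlier (FWR_VDI_Block with SG_VDI_DYN as both source and destination) and the nested SAP group topology above rest on the same two mechanisms: dynamic group membership, so a newly deployed desktop or SAP VM is covered without a rule change, and top-down, first-match evaluation of the distributed firewall section. The Python below is an added example, not code from the deck or from NSX, that models those mechanisms so the effect of tagging a VM or reordering a rule can be checked. The VM names, tags, ports, the SAP allow rules, the services group SG-SVC-DNS and the trailing default-allow rule are constructed assumptions, not taken from the slides.

```python
"""Added example (not from the VMworld deck or NSX): a small model of how NSX
Distributed Firewall rules behave on top of dynamic and nested security groups,
using FWR_VDI_Block / SG_VDI_DYN from the VDI slide and the SG-SAP-ALL ->
SG-SAP-APP / SG-SAP-DB -> SGn-<app>-<tier>-DYN topology from the SAP slide.
VM names, tags, ports, the SAP allow rules and the default rule are constructed."""
from dataclasses import dataclass

# Inventory: VM name -> tags (constructed). A dynamic group selects VMs by
# tag, so a freshly deployed VM is covered as soon as it carries the tag.
VMS = {
    "VDI-0001": {"role:vdi"},
    "VDI-0002": {"role:vdi"},
    "ERP-APP-1": {"sap:erp", "tier:app"},
    "ERP-DB-1": {"sap:erp", "tier:db"},
    "PO-APP-1": {"sap:po", "tier:app"},
    "DNS-1": {"svc:dns"},
}

# Dynamic groups: a VM is a member if it carries every listed tag.
DYNAMIC_GROUPS = {
    "SG_VDI_DYN": {"role:vdi"},
    "SG1-ERP-APP-DYN": {"sap:erp", "tier:app"},
    "SG1-ERP-DB-DYN": {"sap:erp", "tier:db"},
    "SG2-PO-APP-DYN": {"sap:po", "tier:app"},
    "SG-SVC-DNS": {"svc:dns"},  # assumed services group, not on the slide
}

# Nested groups: the union of their children, resolved recursively.
NESTED_GROUPS = {
    "SG-SAP-APP": ["SG1-ERP-APP-DYN", "SG2-PO-APP-DYN"],
    "SG-SAP-DB": ["SG1-ERP-DB-DYN"],
    "SG-SAP-ALL": ["SG-SAP-APP", "SG-SAP-DB"],
}


def members(group):
    """Resolve a group name to the set of VM names it currently contains."""
    if group == "any":
        return set(VMS)
    if group in DYNAMIC_GROUPS:
        wanted = DYNAMIC_GROUPS[group]
        return {vm for vm, tags in VMS.items() if wanted <= tags}
    return set().union(*(members(child) for child in NESTED_GROUPS[group]))


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    services: frozenset  # {(proto, port), ...} or {"any"}
    action: str          # "allow" or "block"


ANY = frozenset({"any"})

# One DFW section, evaluated top-down; the first matching rule wins.
POLICY = [
    Rule("FWR_VDI_Block", "SG_VDI_DYN", "SG_VDI_DYN", ANY, "block"),
    Rule("FWR_SAP_DNS", "SG-SAP-ALL", "SG-SVC-DNS",
         frozenset({("udp", 53), ("tcp", 53)}), "allow"),
    Rule("FWR_ERP_APP_DB", "SG1-ERP-APP-DYN", "SG1-ERP-DB-DYN",
         frozenset({("tcp", 1521)}), "allow"),
    Rule("FWR_SAP_Block", "SG-SAP-ALL", "SG-SAP-ALL", ANY, "block"),
    Rule("Default", "any", "any", ANY, "allow"),  # assumed brownfield default
]


def evaluate(src_vm, dst_vm, proto, port, policy=POLICY):
    """Return (rule name, action) of the first rule matching the flow."""
    for rule in policy:
        if (src_vm in members(rule.src) and dst_vm in members(rule.dst)
                and ("any" in rule.services or (proto, port) in rule.services)):
            return rule.name, rule.action
    raise LookupError("no rule matched: the section lacks a default rule")


def add_vm(name, tags):
    """Deploy a VM by tagging it; no rule edit is needed for it to be covered.
    Returns every group (dynamic or nested) the new VM now belongs to."""
    VMS[name] = set(tags)
    return sorted(g for g in list(DYNAMIC_GROUPS) + list(NESTED_GROUPS)
                  if name in members(g))


if __name__ == "__main__":
    for flow in [("VDI-0001", "VDI-0002", "tcp", 445),
                 ("ERP-APP-1", "ERP-DB-1", "tcp", 1521),
                 ("PO-APP-1", "ERP-DB-1", "tcp", 1521),
                 ("ERP-DB-1", "DNS-1", "udp", 53)]:
        print(flow, "->", evaluate(*flow))
    print("ERP-APP-2 joins:", add_vm("ERP-APP-2", {"sap:erp", "tier:app"}))
    print(evaluate("ERP-APP-2", "ERP-DB-1", "tcp", 1521))
```

Two checks worth running against any real section: evaluate the same flow with the section reversed (`policy=POLICY[::-1]`) and confirm that the block rule still wins where it should, since a default-allow placed above a block rule silently disables it; and evaluate a flow for a VM that carries no tags at all, which falls through every dynamic group and ends up in whatever the section's last rule says.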
Recommendations – Dos and Don'ts

Recommendations: Micro-Segmentation Deployment
PLANNING
• Application Discovery: vRealize Network Insight, vRealize Log Insight
• Phased Deployment
Recommendations: Micro-Segmentation Deployment – 5 Step Process
1. Assess current environment: network assessment
2. Security group creation: create security groups for all applications
3. Identify application boundaries: discover services, applications and their boundaries
4. Get recommended firewall rules: application discovery recommendations from vRNI
5. Repeat, monitor, troubleshoot: deploy micro-segmentation starting with the most critical apps first
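Steps 3 and 4 above, together with the flow-monitoring slide earlier (NetFlow exported by the vSphere Distributed Switch into vRealize Network Insight), are the part of the process that is easiest to misjudge: how raw flow records become candidate group-to-group rules, and which flows should not be whitelisted just because they were observed. The Python below is an added example, not code from the deck or from vRealize Network Insight; it aggregates constructed flow records into allow-rule candidates per security-group pair, parks low-volume pairs for owner review, and flags pairs that cross an application boundary. The VM inventory, IP addresses, group names, flow records and the packet threshold are constructed assumptions for illustration.

```python
"""Added example (not from the VMworld deck or vRealize Network Insight):
turning NetFlow-style records exported by the vSphere Distributed Switch into
group-to-group rule recommendations, the step vRNI performs during application
discovery. Inventory, IP addresses, group names, flow records and the packet
threshold below are constructed for illustration."""
from collections import defaultdict

# Constructed inventory: IP -> (VM name, application, tier). vRNI joins flows
# to VMs using vCenter data in the same way.
INVENTORY = {
    "10.10.1.11": ("ERP-APP-1", "ERP", "APP"),
    "10.10.1.12": ("ERP-APP-2", "ERP", "APP"),
    "10.10.2.11": ("ERP-DB-1", "ERP", "DB"),
    "10.10.3.11": ("PO-APP-1", "PO", "APP"),
    "10.10.4.11": ("PO-DB-1", "PO", "DB"),
    "10.20.0.5": ("DNS-1", "SVC", "DNS"),
}

# Constructed flow records: src IP, dst IP, protocol, dst port, packets.
FLOWS = """\
10.10.1.11,10.10.2.11,tcp,1521,1800
10.10.1.12,10.10.2.11,tcp,1521,2100
10.10.1.11,10.20.0.5,udp,53,40
10.10.3.11,10.10.4.11,tcp,1521,900
10.10.3.11,10.10.2.11,tcp,1521,3
10.10.1.11,10.10.1.12,tcp,22,1
192.168.50.7,10.10.1.11,tcp,443,600
"""


def group_of(ip):
    """Map an IP to its security group, named SG-<APP>-<TIER>-DYN like the
    deck's SGn-ERP-APP-DYN groups; unknown IPs are outside the SDDC."""
    if ip in INVENTORY:
        _, app, tier = INVENTORY[ip]
        return f"SG-{app}-{tier}-DYN"
    return "EXTERNAL"


def application(group):
    """Application name encoded in a group name, or None for EXTERNAL."""
    return None if group == "EXTERNAL" else group.split("-")[1]


def parse_flows(text):
    """Yield (src, dst, proto, port, packets) tuples from the CSV records."""
    for line in text.strip().splitlines():
        src, dst, proto, port, pkts = line.split(",")
        yield src, dst, proto, int(port), int(pkts)


def recommend(text, min_packets=10):
    """Aggregate flows by (source group, destination group, service).

    Returns (rules, review): rules are candidate allow rules; review holds
    low-volume pairs that need an application owner to confirm before they
    are whitelisted (a one-off admin SSH, a misconfigured client and a probe
    all look the same in flow data)."""
    counts = defaultdict(int)
    for src, dst, proto, port, pkts in parse_flows(text):
        counts[(group_of(src), group_of(dst), f"{proto}/{port}")] += pkts
    rules, review = [], []
    for (sg, dg, svc), pkts in sorted(counts.items()):
        entry = {"source": sg, "destination": dg, "service": svc, "packets": pkts}
        (rules if pkts >= min_packets else review).append(entry)
    return rules, review


def cross_application(rules):
    """Candidate rules that cross an application boundary (e.g. the PO app
    tier talking to the ERP database). Shared services (SVC) are expected
    targets and are not flagged; everything else here is a question for the
    owner rather than an automatic allow."""
    return [r for r in rules
            if application(r["source"]) and application(r["destination"])
            and application(r["destination"]) != "SVC"
            and application(r["source"]) != application(r["destination"])]


if __name__ == "__main__":
    allow, unsure = recommend(FLOWS)
    for r in allow:
        print(f"allow  {r['source']} -> {r['destination']} {r['service']} ({r['packets']} pkts)")
    for r in unsure:
        print(f"review {r['source']} -> {r['destination']} {r['service']} ({r['packets']} pkts)")
    print("cross-application at threshold 1:",
          cross_application(recommend(FLOWS, min_packets=1)[0]))
```

The threshold is the point to argue about with the application owner: at 10 packets the stray PO-app-to-ERP-database flow lands in the review list, at 1 packet it becomes an allow candidate that only the cross-application check still questions. Either way the output is a proposal, not a policy; the deck's step 5 (repeat, monitor, troubleshoot) is where the proposal is confirmed against what the distributed firewall actually logs after enforcement.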
Recommendations: Micro-Segmentation Deployment
PLANNING
• Application Discovery: vRealize Network Insight, vRealize Log Insight
• Phased Deployment
PRODUCTION DEPLOYMENT
• Greenfield Deployment
• Brownfield Deployment
FIREWALL POLICY MODEL
• Application Based: Dynamic; Advanced Security Services
• Infrastructure Based: Global Policies; Network Based
OPERATIONALIZATION
• Alerts / Notifications
• Roles and Responsibilities
• Day 2 Support
• Training
VMware IT's Micro-Segmentation Journey

Zero-Trust Implementation – Micro-Segmentation Using NSX: VMware IT's Journey
[Timeline from Mar 2015 to Oct 2019. Milestones as labelled on the slide: Start of Journey; Production Pilot; Greenfield Deployments; POC – Securing Using NSX-T; Brownfield Deployments; Operationalization; PROD Pilots Using NSX-T; Public Cloud Security; NSX Intelligence. Dates marked on the slide: Mar 2015, July 2015, Nov 2015, Mar 2016, July 2017, Jan 2019, June 2019, July 2019, Oct 2019.]
Resources – How to get started
LEARN: Design Guides, Demos (nsx.techzone.vmware.com)
TRY: Take a Hands-on Lab
CONNECT: Join VMUG, VMware Communities (VMTN); @VMwareNSX #runNSX